Replace example.com with your domain. The string 'mail' used throughout is the selector; it can be any alphanumeric string.
Install opendkim:
$ sudo apt-get install opendkim opendkim-tools
Confirm the opendkim user was created:
$ grep opendkim /etc/passwd
opendkim:x:111:117::/var/run/opendkim:/bin/false
Make a place for our keys and switch to it:
$ sudo mkdir -p /etc/opendkim/keys/example.com && cd $_
Make the key pair with selector 'mail' and domain 'example.com':
$ sudo opendkim-genkey -t -s mail -d example.com
Let opendkim own the private key:
$ sudo chown opendkim:opendkim mail.private
Display the public record:
$ cat mail.txt
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVdGDSUwQLSPmQcbNPoZzorVZQmU25g8byhVlshY16kp/Nc4vA9CUTNZR8m0P8NJSMnsQ4DgjXSjVYu0pXdj5zjPEV6ik+BKnFxj2Y8BbP+bMm+Ou92yxhNgDT4YwhtBO5ZCauLnoPEz1ygSLRRRc8qiHc99wxiHwU/GNw7f/gTQIDAQAB" ) ; ----- DKIM key mail for example.com
Add the above name and value to a TXT record in the DNS for example.com (use a low TTL for testing).
See if the record is live:
$ dig +short mail._domainkey.example.com txt
"v=DKIM1\; k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVdGDSUwQLSPmQcbNPoZzorVZQmU25g8byhVlshY16kp/Nc4vA9CUTNZR8m0P8NJSMnsQ4DgjXSjVYu0pXdj5zjPEV6ik+BKnFxj2Y8BbP+bMm+Ou92yxhNgDT4YwhtBO5ZCauLnoPEz1ygSLRRRc8qiHc99wxiHwU/GNw7f/gTQIDAQAB"
Now verify the public/private key pair:
$ sudo opendkim-testkey -d example.com -s mail -k /etc/opendkim/keys/example.com/mail.private \
&& echo 'valid key pair'
Edit /etc/default/opendkim as root and add the default socket for DKIM:
SOCKET="inet:8891@localhost"
Edit /etc/opendkim.conf as root:
UserID opendkim:opendkim
Domain example.com
KeyFile /etc/opendkim/keys/example.com/mail.private
Selector mail
Socket inet:8891@localhost
Canonicalization relaxed/simple
OversignHeaders From
Start the dkim service:
$ sudo service opendkim start
Starting OpenDKIM: opendkim.
Verify that port 8891 is open:
$ netstat -an | grep '127.0.0.1:8891'
tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN
Edit /etc/postfix/main.cf as root (add near top):
## DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Now restart postfix:
$ sudo service postfix restart
Send a message to yourself and look for the DKIM-Signature header. Then try this service to verify the dkim-sig (and other things): http://www.mail-tester.com/
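The comparison behind the 'See if the record is live' step, as an added shell example that is not part of the original instructions: it joins the quoted strings from mail.txt and from the dig answer, undoes dig's \; escaping, and compares the p= key. The function names and the sample record are constructed for illustration, and grep -o is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original page): check that the TXT record
# served by DNS carries the same public key as mail.txt.

# Join all "quoted strings" on stdin into one value. Undoes the \; escaping
# in dig output and drops whitespace so both forms compare equal.
dkim_txt_value() {
    grep -o '"[^"]*"' | sed 's/\\;/;/g' | tr -d '" \t\n'
}

# dkim_tag <tag> <value>: print one tag (v, k, t, p) from a joined value.
dkim_tag() {
    printf '%s\n' "$2" | tr ';' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# dkim_check <zone-file text> <dig answer>: returns 0 when the keys match,
# 1 on mismatch, 2 when nothing is published.
dkim_check() {
    zone_v=$(printf '%s\n' "$1" | dkim_txt_value)
    dns_v=$(printf '%s\n' "$2" | dkim_txt_value)
    [ -n "$dns_v" ] || { echo "no TXT record published"; return 2; }
    zone_p=$(dkim_tag p "$zone_v"); dns_p=$(dkim_tag p "$dns_v")
    [ -n "$zone_p" ] && [ "$zone_p" = "$dns_p" ] ||
        { echo "published key differs from mail.txt"; return 1; }
    # t=y means the domain is still flagged as testing DKIM.
    case ":$(dkim_tag t "$dns_v"):" in
        *:y:*) echo "key matches; t=y (testing mode) is still published" ;;
        *)     echo "key matches" ;;
    esac
}

# Constructed sample input (the p= value is a placeholder, not a real key).
# SAMPLE_DNS is split into two strings, as dig shows long records.
SAMPLE_ZONE='mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; "
  "p=Q09OU1RSVUNURUQga2V5IGJ5dGVz" ) ; ----- DKIM key mail for example.com'
SAMPLE_DNS='"v=DKIM1\; k=rsa\; t=y\; p=Q09OU1RSVUNURUQg" "a2V5IGJ5dGVz"'

dkim_check "$SAMPLE_ZONE" "$SAMPLE_DNS"

# On the mail server, from /etc/opendkim/keys/example.com:
#   dkim_check "$(cat mail.txt)" \
#       "$(dig +short mail._domainkey.example.com txt)"
```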